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Abstract 


This document specifies the conventions for using the AES-GMAC Message Authentication Code 
algorithm with the Cryptographic Message Syntax (CMS) as specified in RFC 5652. 


Status of This Memo 
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1. Introduction 


This document specifies the conventions for using the AES-GMAC [AES] [GCM] Message 
Authentication Code (MAC) algorithm with the Cryptographic Message Syntax (CMS) [RFC5652]. 


2. Terminology 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD 
NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to 
be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in 
all capitals, as shown here. 


3. Message Authentication Code Algorithms 


This section specifies the conventions employed by CMS [RFC5652] implementations that support 
the AES-GMAC [AES] [GCM] Message Authentication Code (MAC) algorithm. 


MAC algorithm identifiers are located in the AuthenticatedData macAlgorithm field. 
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MAC values are located in the AuthenticatedData mac field. 


3.1. AES-GMAC 


The AES-GMAC [AES] [GCM] Message Authentication Code (MAC) algorithm uses one of the 
following algorithm identifiers in the AuthenticatedData macAlgorithm field; the choice depends 
on the size of the AES key, which is either 128 bits, 192 bits, or 256 bits: 


aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(84@) 
organization(1) gov(1@1) csor(3) nistAlgorithm(4) 1 } 

id-aes128-GMAC OBJECT IDENTIFIER ::= { aes 9 } 

id-aes192-GMAC OBJECT IDENTIFIER ::= { aes 29 } 

id-aes256-GMAC OBJECT IDENTIFIER ::= { aes 49 } 


For all three of these algorithm identifier values, the AlgorithmIdentifier parameters field MUST 
be present, and the parameters MUST contain GMACParameters: 


GMACParameters ::= SEQUENCE { 
nonce OCTET STRING, -- recommended size is 12 octets 
length MACLength DEFAULT 12 } 

MACLength ::= INTEGER (12 | 13 | 14 | 15 | 16) 


The GMACParameters nonce field is the GMAC initialization vector. The nonce may have any 
number of bits between 8 and (2464)-1, but it MUST be a multiple of 8 bits. Within the scope of 
any content-authentication key, the nonce value MUST be unique. A nonce value of 12 octets can 
be processed more efficiently, so that length for the nonce value is RECOMMENDED. 


The GMACParameters length field tells the size of the message authentication code. It MUST 
match the size in octets of the value in the AuthenticatedData mac field. A length of 12 octets is 
RECOMMENDED. 


4. Implementation Considerations 


An implementation of the Advanced Encryption Standard (AES) Galois/Counter Mode (GCM) 
authenticated encryption algorithm is specified in [GCM]. An implementation of AES-GCM can be 
used to compute the GMAC message authentication code by providing the content-authentication 
key as the AES key, the nonce as the initialization vector, a zero-length plaintext content, and the 
content to be authenticated as the additional authenticated data (AAD). The result of the AES- 
GCM invocation is the AES-GMAC authentication code, which is called the "authentication tag" in 
some implementations. In AES-GCM, the encryption step is skipped when no input plaintext is 
provided; therefore, no ciphertext is produced. 
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The DEFAULT and RECOMMENDED values in GMACParameters were selected to align with the 
parameters defined for AES-GCM in Section 3.2 of [RFC5084]. 
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5. ASN.1 Module 


The following ASN.1 module uses the definition for MAC-ALGORITHM from [RFC5912]. 
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CryptographicMessageSyntaxGMACAlgorithms 
{ iso(1) member-body(2) us(84@) rsadsi(113549) 
pkcs(1) pkcs-9(9) smime(16) modules(@) 
id-mod-aes-gmac-alg-2020(72) } 


DEFINITIONS IMPLICIT TAGS ::= 
BEGIN 


=- EXPORTS All 
IMPORTS 
AlgorithmIdentifier{}, MAC-ALGORITHM 
FROM AlgorithmInformation-2009 -- from [RFC5912] 

{ iso(1) identified-organization(3) dod(6) internet(1) 
security(5) mechanisms(5) pkix(7) id-mod(@) 
id-mod-algorithmInformation-02(58)} ; 

-- Object Identifiers 


aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(84@) 
organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } 


id-aes128-GMAC OBJECT IDENTIFIER ::= { aes 9 } 
id-aes192-GMAC OBJECT IDENTIFIER ::= { aes 29 } 
id-aes256-GMAC OBJECT IDENTIFIER ::= { aes 49 } 


-- GMAC Parameters 


GMACParameters ::= SEQUENCE { 
nonce OCTET STRING, -- recommended size is 12 octets 
length MACLength DEFAULT 12 } 

MACLength ::= INTEGER (12 | 13 | 14 | 15 | 16) 


-- Algorithm Identifiers 


maca-aes128-GMAC MAC-ALGORITHM ::= { 
IDENTIFIER id-aes128-GMAC 
PARAMS TYPE GMACParameters ARE required 
IS-KEYED-MAC TRUE } 


maca-aes192-GMAC MAC-ALGORITHM ::= { 
IDENTIFIER id-aes192-GMAC 
PARAMS TYPE GMACParameters ARE required 
IS-KEYED-MAC TRUE } 


maca-aes256-GMAC MAC-ALGORITHM ::= { 
IDENTIFIER id-aes256-GMAC 
PARAMS TYPE GMACParameters ARE required 
IS-KEYED-MAC TRUE } 


END -- of CryptographicMessageSyntaxGMACAlgorithms 
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6. IANA Considerations 


IANA has registered the object identifier shown in Table 1 in the "SMI Security for S/MIME 
Module Identifier (1.2.840.113549.1.9.16.0)" registry. 


Decimal Description References 
2: id-mod-aes-gmac-alg-2020 RFC 9044 
Table 1 


7. Security Considerations 


The CMS provides a method for authenticating data. This document identifies the conventions 
for using the AES-GMAC algorithm with the CMS. 


The key management technique employed to distribute message-authentication keys must itself 
provide authentication; otherwise, the content is delivered with integrity from an unknown 
source. 


When more than two parties share the same message-authentication key, data origin 
authentication is not provided. Any party that knows the message-authentication key can 
compute a valid MAC; therefore, the content could originate from any one of the parties. 


Within the scope of any content-authentication key, the AES-GMAC nonce value MUST be unique. 
Use of a nonce value more than once allows an attacker to generate valid AES-GMAC 
authentication codes for arbitrary messages, resulting in the loss of authentication as described 
in Appendix A of [GCM]. 


Within the scope of any content-authentication key, the authentication tag length (MACLength) 
MUST be fixed. 


If AES-GMAC is used as a building block in another algorithm (e.g., as a pseudorandom function), 
AES-GMAC MUST be used only one time by that algorithm. For instance, AES-GMAC MUST NOT be 
used as the pseudorandom function for PBKDF2. 


When initialization vector (IV) lengths other than 96 bits are used, the GHASH function is used to 
process the provided IV, which introduces a potential for IV collisions. However, IV collisions are 
not a concern with CMS AuthenticatedData because a fresh content-authentication key is usually 
generated for each message. 


The probability of a successful forgery is close to 24(-t), where t is the number of bits in the 
authentication tag length (MACLength*8). This nearly ideal authentication protection is achieved 
for CMS AuthenticatedData when a fresh content-authentication key is generated for each 
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message. However, the strength of GMAC degrades slightly as a function of the length of the 
message being authenticated [F2005] [MV2005]. Implementations SHOULD use 16-octet 
authentication tags for messages over 264 octets. 


Implementations must randomly generate message-authentication keys. The use of inadequate 
pseudorandom number generators (PRNGs) to generate keys can result in little or no security. An 
attacker may find it much easier to reproduce the PRNG environment that produced the keys, 
searching the resulting small set of possibilities, rather than brute-force searching the whole key 
space. The generation of quality random numbers is difficult. [RFC4086] offers important 
guidance in this area. 


Implementers should be aware that cryptographic algorithms become weaker with time. As new 
cryptanalysis techniques are developed and computing performance improves, the work factor 
to break a particular cryptographic algorithm will reduce. Therefore, cryptographic algorithm 
implementations should be modular, allowing new algorithms to be readily inserted. That is, 
implementers should be prepared to regularly update the set of algorithms in their 
implementations. More information is available in BCP 201 [RFC7696]. 
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